ensured that the regular expressions for rewriting JavaScript eval usage do not match "$eval", only "eval" identifier (#493)

added tests for new JS eval rewriting regex tweaks
2025-03-15 00:03:28 +01:00 · 2019-07-31 18:03:42 -04:00 · 2019-07-31 18:03:42 -04:00 · 511c6f7985
commit 511c6f7985
parent ffca45c855
2 changed files with 18 additions and 2 deletions
--- a/pywb/rewrite/regex_rewriters.py
+++ b/pywb/rewrite/regex_rewriters.py
@ -103,9 +103,9 @@ if (thisObj && thisObj._WB_wombat_obj_proxy) return thisObj._WB_wombat_obj_proxy

        rules = [
            # rewriting 'eval(....)' - invocation
-            (r'\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
+            (r'(?<![$])\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
            # rewriting 'x = eval' - no invocation
-            (r'\beval\b', self.add_prefix('WB_wombat_'), 0),
+            (r'(?<![$])\beval\b', self.add_prefix('WB_wombat_'), 0),
            (r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
            (r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
            # rewriting 'return this'
--- a/pywb/rewrite/test/test_regex_rewriters.py
+++ b/pywb/rewrite/test/test_regex_rewriters.py
@ -212,7 +212,23 @@ r"""
 >>> _test_js_obj_proxy(r'this. location = http://example.com/')
 'this. location = ((self.__WB_check_loc && self.__WB_check_loc(location)) || {}).href = http://example.com/'

+>>> _test_js_obj_proxy('eval(a)')
+'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'

+>>> _test_js_obj_proxy('this.$eval(a)')
+'this.$eval(a)'
+
+>>> _test_js_obj_proxy('x = this.$eval; x(a);')
+'x = this.$eval; x(a);'
+
+>>> _test_js_obj_proxy('x = eval; x(a);')
+'x = WB_wombat_eval; x(a);'
+
+>>> _test_js_obj_proxy('$eval = eval; $eval(a);')
+'$eval = WB_wombat_eval; $eval(a);'
+
+>>> _test_js_obj_proxy('window.eval(a);')
+'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);'

 #=================================================================
 # XML Rewriting